Files for ransom

Ransomware has emerged as the latest security worry. How big is your risk?

As if phishing, pharming and phraud weren't frustrating enough, the latest cybersecurity threat - ransomware - is an extortion scheme.

Ransomware involves the use of malicious code to hijack user files, encrypt them and then demand payment in exchange for the decryption key. The good news is that documented attacks have been rare. The bad news is that cases are on the rise, says FBI spokesman Paul Bresson.

Discuss - Join the conversation on ransomware.

One of the earliest recorded cases of ransomware was documented by Web-filtering software vendor Websense in May. A call from a panicked user revealed the swiftness and thoroughness of the attack. "All of a sudden, the files on his computer were in a format that was not human readable," says Dan Hubbard, Websense's senior director of security. Only one file - named "Important" - could be read. It contained the filenapper's instructions to send an e-mail to receive the decoder key. When the victim complied, a ransom note demanding $200 arrived. What might have been a malicious prank turned into a serious crime.

Assessing the risk

Fortunately, most end users only know about ransomware through media reports, not by direct experience. Perry Jarvis, network operations manager for the city of Burbank, is almost cavalier in his assessment of the ransomware risk. "Blocking this type of attack is already being performed by most companies," he says. Before files can be encrypted and then held for ransom, the attacker would have to gain access to the system - and most security professionals already are watching for intrusions and other forms of cyberextortion, he explains. More common than ransomware is a scheme where hackers break into a system - proving they can do it - and then demand payment not to attack. Gaming sites have been hit with this sort of crime, and some accept it as a cost of doing business, paying tens of thousands of dollars a year, according to sources.

Of all the ways a hacker could choose to do damage, ransomware is a fairly high-risk operation, says Gary Morse, president of penetration test company Razorpoint Security Technologies. "There are at least four or five points of contact necessary to pull this off," he says, noting that the criminal has to break into the system, leave malicious code behind, notify the victim, wait for a response, and get paid. Certainly, he adds, if one wants to earn a living through hacking, there are safer ways.

Just because the scheme is high risk, doesn't mean attacks won't dramatically increase or become more sophisticated. Ransomware would become a real danger, Jarvis says, when applied to mission-critical information assets stored on database servers. That, he says, would require almost combat-like planning to pull off.

Protecting your network

As with most security issues, the best defense is a good offense. Although cyberextortion attacks can be carried out through traditional channels, such as e-mail attachments or direct access to the network, most instances are browser-based.

In the Websense case, for example, a forensic investigation revealed that someone at the targeted company had visited a Web site that had been hacked. The site spread its malicious code through an Internet Explorer vulnerability. A Trojan horse was dropped on to the victim's network and searched all of the system directories and mapped drives. The program encrypted the files, left the ransom note and deleted itself.

On a positive note, special "ransomware" products are not necessary, nor are vendors particularly marketing themselves in that vein. Instead, making sure every user device that sports a browser has the latest patches is the first and most obvious protection. The multiple layers of security that the typical corporation already has in place - firewalls, anti-virus, intrusion detection, Web monitoring and so on - will most likely stop the malware before it infects the network, says Robert Rosen, CIO for the National Institute of Arthritis of Musculoskeletal and Skin Diseases, in Bethesda, Md., and president of the IBM users' group, Share. "Ransomware uses all the same vulnerabilities we already know about. We just haven't fixed them yet," he says.

6 questions to ask concerning ransomware Do you have any experience in detecting or disarming ransomware attacks? Can you offer protection against security attacks that occur quickly? (A variety of attacks can be performed at more than 1 million packets per second.) If my company comes under a ransomware attack, how might you be able to help me quickly decrypt the affected files? Once a vulnerability is found, how long do you typically take to distribute a patch? If I suspect a thwarted ransomware attack, how should I report it to you, and how will you inform the authorities while protecting my confidential information? What kinds of innovative technologies do you offer to battle dangers such as Trojan horses and key loggers that work through the Web and often go undetected by — or can even disable — anti-virus software?

Razorpoint's Morse agrees. Cybercriminals intent on extortion attacks might exploit a firm's negligence. "Sometimes people aren't minding the store the way they should be," he says.

Even so, the increase in browser-based attacks points to another hard truth for many companies - their employees are their biggest security liability. "The employees are the ones who are going to open the back door" and let in the malware, Rosen says.

If an accounts receivable manager receives a demand for ransom, will he know what to do? For end users, Rosen says, playing the "What if?" game is important. The best chance of preventing panic is to give employees clear instructions about responding to these kinds of threats. "We've spent a lot of time and effort trying to educate people here about the threats, and it clearly works," he adds.

No one knows

The extortionist wannabe who attacked Websense's client never did get the ransom. Websense was able to reverse-engineer the malicious coding and decrypt the nabbed files without money changing hands.

But the incident established a frightening precedent. No one knows how many ransomware attacks there have been. Websense hasn't received any additional reports, and Symantec reports seeing only three or four variants of the scheme. Renaud Bidou, a security consultant for Radware, an application security provider, has encountered about a half-dozen incidents since October 2004.

But, like victims of any security incident, those targeted by ransomware tend to keep quiet about it, especially if they've ponied up and paid. Admitting that, Bidou says, is like announcing, "Hey! Attack me - I pay!"

Still, you can protect yourself. Filenappers can't demand a ransom if they don't have control of your network.

Schaibly is a freelance writer in Fort Collins, Colo. She can be reached at sschaibly@aol.com.